AWS organizations documentation change
Summary
Updated malware scanning configuration documentation for AWS Backup, including syntax changes for scan_actions/scan_settings, added ScanMode options (INCREMENTAL_SCAN/FULL_SCAN), and detailed example configurations for GuardDuty Malware Protection integration
Security assessment
The changes document security-focused malware scanning capabilities integrated with Amazon GuardDuty. While this adds security feature documentation (malware detection in backups), there is no evidence of addressing a specific vulnerability - rather this appears to be standard documentation for a security capability. Emphasis on IAM role permissions and scanning configurations shows security awareness but doesn't indicate remediation of a security issue.
Diff
diff --git a/organizations/latest/userguide/orgs_manage_policies_backup_syntax.md b/organizations/latest/userguide/orgs_manage_policies_backup_syntax.md index f27258d9f..362f56088 100644 --- a//organizations/latest/userguide/orgs_manage_policies_backup_syntax.md +++ b//organizations/latest/userguide/orgs_manage_policies_backup_syntax.md @@ -116 +116,5 @@ Backup rule elements Element | Description | Required -`scan_actions` | Specifies whether a scanning action is enabled for a given rule. You must specify a `Malwarescanner` and `ScanMode`. You must use `scan_settings` in the backup policy elements in conjunction with `scan_actions` in order for scanning jobs to start successfully. Please also ensure you have the right [IAM role permissions](https://docs.aws.amazon.com//aws-backup/latest/devguide/malware-protection.html#malware-access). | No +`scan_actions` | Specifies whether a scanning action is enabled for a given rule. You must specify a `ScanMode`. You must use `scan_settings` in the backup policy elements in conjunction with `scan_actions` in order for scanning jobs to start successfully. Please also ensure you have the right [IAM role permissions](https://docs.aws.amazon.com//aws-backup/latest/devguide/malware-protection.html#malware-access). + + * `ScanMode`: This will specify what scan type you want to run at the frequency of your backup plan rule. You can choose between `INCREMENTAL_SCAN` or `FULL_SCAN`. + +| No @@ -230 +234 @@ Backup plan tag elements Element | Description | Required -The `scan_settings` policy key specifies the tags that are attached to a backup plan itself. This does not impact the tags specified for `rules` or `selections`. +The `scan_settings` policy key specifies the configuration for malware scanning using Amazon GuardDuty Malware Protection for AWS Backup. You must use `scan_settings` in conjunction with `scan_actions` in your backup rules for scanning jobs to start successfully. @@ -232 +236 @@ The `scan_settings` policy key specifies the tags that are attached to a backup -Backup plan tag elements Element | Description | Required +Scan settings elements Element | Description | Required @@ -234 +238,35 @@ Backup plan tag elements Element | Description | Required -`scan_settings` | Each tag is a label consisting of a user-defined key and value: Configuration options for scan settings. Currently the only scan settings that is support is enable Amazon GuardDuty Malware Protection for AWS Backup. You must specify the `Malwarescanner`, `ResourceTypes`, and `ScannerRoleArn`. | No +`scan_settings` | Configuration options for scan settings. Currently the only scan settings that is supported is enabling Amazon GuardDuty Malware Protection for AWS Backup. You must specify the `ResourceTypes` and `ScannerRoleArn`. + + * `ResourceTypes`: This will filter malware scanning to the resource selection criteria you have chosen. You can use `EBS`, `EC2`, `S3`, or `ALL`. + * `ScannerRoleArn`: This role is passed by AWS Backup to Amazon GuardDuty when a scan is initiated, providing access to backups. View [malware protection access](https://docs.aws.amazon.com//aws-backup/latest/devguide/malware-protection.html#malware-access) to see the full list of permissions required. + +| No + +**Example:** + +The following shows how to configure `scan_actions` in a backup rule and `scan_settings` at the plan level to enable Amazon GuardDuty Malware Protection scanning. + +`scan_actions` in a rule: + + + "scan_actions": { + "GUARDDUTY": { + "scan_mode": { + "@@assign": "INCREMENTAL_SCAN" + } + } + } + +`scan_settings` at the plan level: + + + "scan_settings": { + "GUARDDUTY": { + "resource_types": { + "@@assign": ["EBS"] + }, + "scanner_role_arn": { + "@@assign": "arn:aws:iam::$account:role/MyGuardDutyScannerRole" + } + } + } @@ -253,0 +292,2 @@ The example backup policies that follow are for information purposes only. In so + * Example 8: Backup plan with Amazon GuardDuty Malware Protection scanning + @@ -1276,0 +1317,108 @@ The Boolean logic is similar to what you might use in IAM policies. The `"resour +### Example 8: Backup plan with Amazon GuardDuty Malware Protection scanning + +The following example shows a backup policy that enables Amazon GuardDuty Malware Protection scanning on backup recovery points. The policy uses `scan_actions` in the rule to enable scanning and `scan_settings` at the plan level to configure the scanner. + +To use this feature, you must have the appropriate IAM role permissions. For more information, see [Access](https://docs.aws.amazon.com//aws-backup/latest/devguide/malware-protection.html#malware-access) in the _AWS Backup Developer Guide_. + + + { + "plans": { + "Malware_Scan_Backup_Plan": { + "regions": { + "@@assign": [ + "us-east-1", + "us-west-2" + ] + }, + "rules": { + "Daily_With_Incremental_Scan": { + "schedule_expression": { + "@@assign": "cron(0 5 ? * * *)" + }, + "start_backup_window_minutes": { + "@@assign": "60" + }, + "target_backup_vault_name": { + "@@assign": "Default" + }, + "lifecycle": { + "delete_after_days": { + "@@assign": "35" + } + }, + "scan_actions": { + "GUARDDUTY": { + "scan_mode": { + "@@assign": "INCREMENTAL_SCAN" + } + } + } + }, + "Monthly_With_Full_Scan": { + "schedule_expression": { + "@@assign": "cron(0 5 1 * ? *)" + }, + "start_backup_window_minutes": { + "@@assign": "60" + }, + "target_backup_vault_name": { + "@@assign": "Default" + }, + "lifecycle": { + "delete_after_days": { + "@@assign": "365" + } + }, + "scan_actions": { + "GUARDDUTY": { + "scan_mode": { + "@@assign": "FULL_SCAN" + } + } + } + } + }, + "selections": { + "tags": { + "scan_selection": { + "iam_role_arn": { + "@@assign": "arn:aws:iam::$account:role/MyBackupRole" + }, + "tag_key": { + "@@assign": "backup" + }, + "tag_value": { + "@@assign": [ + "true" + ] + } + } + } + }, + "scan_settings": { + "GUARDDUTY": { + "resource_types": { + "@@assign": [ + "EBS" + ] + }, + "scanner_role_arn": { + "@@assign": "arn:aws:iam::$account:role/MyGuardDutyScannerRole" + } + } + } + } + } + } + +The key points in this example are: + + * `scan_actions` is specified inside each rule. The scanner name `GUARDDUTY` is used as the key. The daily rule uses `INCREMENTAL_SCAN` and the monthly rule uses `FULL_SCAN`. + + * `scan_settings` is specified at the plan level (not inside a rule). It configures the scanner role and resource types to scan. + + * The `scanner_role_arn` must reference an IAM role with the `AWSBackupGuardDutyRolePolicyForScans` managed policy attached and a trust policy that allows the `malware-protection.guardduty.amazonaws.com` service principal to assume the role. + + + +